University of Minnesota Deploys Infoblox Appliances - Student Authentication and IP Address Assignment Dramatically Streamlined
Infoblox Inc. today announced that the University of Minnesota has deployed Infoblox appliances for delivery of core network services, including internal and external domain name resolution (DNS) and IP address assignment and management (DHCP/IPAM) – essential to daily operation of its extensive network and applications, enabling access to resources such as student registration, assignments and health records. In addition to bolstering reliability, manageability and security of its core network services infrastructure, ensuring nonstop delivery of DNS and DHCP services, the University has implemented a unique authentication portal enabled by Infoblox appliances that allows more than 6,500 residential hall students easy, secure and authorized network access.
The previous solution for network address management services did not meet the University’s requirements. The University requirements expanded in scope, scale and functionality, focusing on self-service and security.
Mike LeVoir, network design engineer at the University of Minnesota, commented: “The Infoblox solution met the University’s requirements of built-in reliability and features that allow delegated management with data-entry templates for the various departments.”
“Infoblox made the process of implementing our student authentication portal seamless. Students used to have to locate their MAC address — not necessarily intuitive for some — and then register their device with the IT department by physically visiting one of our centers. With Infoblox, the students don’t need to know their own MAC address, nor do they have to leave their dorm rooms. What used to take 30 minutes now takes seconds, and we moved the process from something cumbersome to something much simpler both for students and the IT department.”
On campus, there are 6 Infoblox appliances running the Infoblox DNSone package that includes Infoblox’s unique grid technology. The grid technology links the Infoblox appliances together so they can operate as a unified system for resiliency and management advantages. An HA pair is acting as grid masters, two are delivering DHCP services, and the remaining two are performing DNS services as authoritative masters. Additionally, there is one at the Univ. of Washington, which via grid technology is fully integrated with a remote authoritative master and the local six appliances.
The University is currently using the authenticated DHCP function in campus residence halls with plans to roll it out to the entire University. When logging on to the University network, students are automatically redirected to a captive portal where they are shown a registration page and acceptable use policy. Once authorized, students are then assigned a University-issued IP address. Previously, students had to go to a physical lab on campus and register their device(s). It was a cumbersome and time-consuming process. Now using the portal, students simply plug in their device in their dorm room, log on and they are on the network after a seamless host registration process.
Can you be more specific? How does this solution gather the MAC addresses now?
Comment by Steven — October 28, 2008 @ 9:40 pm
The Infoblox appliance solution includes a “NAC Foundation Module” which collects MAC addresses and builds up a database of allowed devices. The Module gets MAC addresses when devices attempting to access the network issue DHCP requests (the Infoblox appliance includes a DHCP server). If the MAC address of a requesting device matches an address in a ‘MAC Filter List’ configured on the appliance, the requesting device will receive an IP address from an address range associated with the matched MAC Filter. If the MAC address doesn’t match any filter, the DHCP response will provide the IP address of a captive Web portal included on the appliance. This address routes only to the appliance. Similar to accessing the Internet in a hotel or public space, the user launches their browser and is redirected to customizable Web pages on the captive portal. The portal includes pages that enable the user to authenticate or to register as a guest in order to get an IP address routable on the production network. The NAC Foundation Module supports a number of back-end authentication options, including RADIUS, LDAP and Microsoft AD. Following successful authentication, the policy associated with the user is retrieved (e.g. via AD group attributes), and their MAC address is inserted by the NAC Foundation Module into the appropriate DHCP MAC filter. The initial IP address of the Web portal expires after 30 seconds, and when the device issues a new DHCP request its MAC address is now present in a MAC filter and the appropriate IP is returned to the user. So in short, the captive portal authentication process is used to automatically populate the MAC addresses in the DHCP server.
Comment by John Furrier — October 29, 2008 @ 9:53 pm
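The flow described in the comment above can be modelled in a few lines. This is an added example, not Infoblox code or part of the original page: the class and method names, the address ranges, the 86400-second production lease, the in-memory directory standing in for RADIUS/LDAP/AD, and the sample user and MAC are all assumptions made for illustration.

```python
import hmac
import ipaddress

QUARANTINE_LEASE = 30      # seconds; the portal-only address lifetime given in the comment
PRODUCTION_LEASE = 86400   # assumed value, not stated on the page

class AuthenticatedDhcp:
    """Toy model of the MAC-filter / captive-portal flow (not Infoblox code)."""

    def __init__(self, filter_ranges, portal_range, directory):
        self.filters = {name: set() for name in filter_ranges}      # MAC filter lists
        self.pools = {name: iter(ipaddress.ip_network(net).hosts())
                      for name, net in filter_ranges.items()}
        self.pools[None] = iter(ipaddress.ip_network(portal_range).hosts())
        self.directory = directory   # stand-in for RADIUS/LDAP/AD: user -> (password, filter)
        self.leases = {}             # (mac, filter) -> address already handed out

    @staticmethod
    def norm(mac):
        # Canonical form so "00-1A-..." and "00:1a:..." match the same filter entry.
        digits = "".join(c for c in mac.lower() if c not in "-:.")
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def dhcp_request(self, mac):
        mac = self.norm(mac)
        # First filter containing the MAC wins; None means "no match, portal range".
        match = next((n for n, macs in self.filters.items() if mac in macs), None)
        if (mac, match) not in self.leases:
            self.leases[(mac, match)] = str(next(self.pools[match]))
        lease = PRODUCTION_LEASE if match else QUARANTINE_LEASE
        return {"ip": self.leases[(mac, match)], "filter": match, "lease": lease}

    def portal_login(self, mac, user, password):
        record = self.directory.get(user)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return False             # failed login: MAC stays out of every filter
        self.filters[record[1]].add(self.norm(mac))   # policy group -> MAC filter
        return True

def demo():
    # Constructed sample data: ranges, user and MAC are made up for illustration.
    srv = AuthenticatedDhcp({"students": "10.20.0.0/24", "guests": "10.30.0.0/24"},
                            "192.168.250.0/24", {"alice": ("s3cret-pass", "students")})
    first = srv.dhcp_request("00-1A-2B-3C-4D-5E")
    denied = srv.portal_login("00-1A-2B-3C-4D-5E", "alice", "wrong")
    still_portal = srv.dhcp_request("00-1A-2B-3C-4D-5E")
    granted = srv.portal_login("00-1A-2B-3C-4D-5E", "alice", "s3cret-pass")
    second = srv.dhcp_request("00:1a:2b:3c:4d:5e")
    return first, denied, still_portal, granted, second
```

In this model the only thing checked on the second DHCP request is the MAC address, so the directory login at the portal is the single point where user identity and policy are established.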